The Pwnium vulnerability reward program, Google’s yearly bug hunting event where security experts flag up vulnerabilities, will now run all through the year instead of being a one-day affair.
Previously, Pwnium was held by the company annually at CanSecWest, a security conference in Vancouver, to find security problems in its Chrome browser, Chrome OS and affiliated applications. Researchers were required to turn up to CanSecWest in order to present their findings in a one-day event.
However, Google decided to expand the program, running it throughout the year, to make it more accessible to people and also to reduce security risks. This also bodes well for security research and will provide an unlimited pool of funds for rewards.
“We’ve received some great entries over the years, but it’s time for something bigger. Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers,” Tim Willis, a ‘hacker philanthropist’ on the Chrome security team, wrote on Google’s security blog on Tuesday.
Instead of being required to submit their bugs in March, pre-register and have a physical presence at the competition location, security experts can now submit their bugs wherever they are in the world, at any time. Whenever researchers come across bugs, they can submit them to Google’s Chrome Vulnerability Reward Program (VRP) and immediately become eligible for a cash reward.
Also, instead of a limited prize fund to give out as rewards to those who come across an exploit, the search giant has announced an unlimited amount of money to be claimed. This could probably help open up the competition to a much broader group of researchers around the world.
In a blog post announcing the change, Tim Willis actually said the total reward cash available was “$∞ million”, although he added: “Our lawyer cats wouldn’t let me say ‘never-ending’ or ‘infinity million’ without adding that ‘this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.’”
Currently, the top reward on offer is $50,000 (£32,000).
In addition to making the competition easier to enter, Google says the move will not only mean more exploits being detected and squashed, it will also see the end of the practice of bug hoarding, in which security experts delay announcing that they have found an exploit, waiting to present it during the CanSecWest event and claim their cash reward.